However, their activities are often performed without visibility outside the asset on which they are working. What happens if they intentionally or accidentally endanger the confidentiality, integrity, or availability of an organization’s data? Without effective monitoring, privileged users can cause significant damage without ever being detected.

Dangers of Privileged User Accounts

The global footprint of IT assets (including cloud, virtualization, and big data) has created a need for more privileged user roles to manage those assets. As a result, unrestricted user privileges are often broadly assigned to roles and individuals to simplify user management and ensure they can do their job without triggering security alerts or being blocked from necessary assets.

Paradoxically, there are dangers associated with privileged user accounts, including:

Sharing account credentials. Some organizations assign a privileged user account to a role, rather than a specific user. Doing so reduces the ability to track personal accountability in the event of an intentional or accidental change to data or an asset.

Availability issue. Privileged users can misconfigure a component, thereby blocking access to a website or other resource. They could also change passwords, thus locking out authorized users.

Integrity issue. Privileged users can modify or delete data, including the audit logs that identify intentional or accidental changes to data.

Confidentiality issue. Privileged users can access personal identifying information (PII) or other confidential data, even though that access is not needed to perform their job.

High value of privileged user accounts. Privileged users are often targeted by Advanced Persistent Threat (APT) attacks. The goal is to dupe the privileged user into either revealing credentials or downloading malware. This gives the attacker a foothold in the network.

Malicious intent. Privileged users can deliberately endanger the organization’s data for personal gain, espionage, or other malicious purposes. They may act as a ‘lone wolf’ or partner with a hacking group or business competitor. Examples of malicious intent include:

Injecting a logic bomb, Trojan horse, backdoor, or malware into the organization’s system.

Block or Alert on Suspect Activity: Identify user behavior that deviates from normal access patterns, and alert and block suspicious activities that may indicate privilege abuse. Users performing unauthorized activities should be quarantined and their privileges should be reviewed. Audit reports and analytical tools are needed to support forensic investigations.

Identify Unauthorized Privilege Changes: Verify that changes to data objects and data systems are properly authorized. Unauthorized activities should be thoroughly investigated and controls should be implemented to prevent future incidents.

Separation of Duties: Ensure privileged users cannot monitor themselves, since they can alter security controls to conceal their irregular activities.

Eliminate Excessive and Unused Rights: Identify highly privileged users, verify that the privileges are necessary for the user’s role and duties, revoke excessive user rights, and remove dormant users.
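As an added illustration (not code from the original article) of the controls listed above, the Python below runs simple checks over a constructed set of privileged-account audit events: one account logging in from several hosts within minutes (a shared credential), privilege changes with no approved change ticket, actions against the audit trail itself, and dormant privileged accounts. The event format, account names and ticket ids are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical format):
# (timestamp, account, source_host, action, target, change_ticket)
EVENTS = [
    ("2024-03-01T09:00:00", "dba_admin", "ws-17", "login", "db01", None),
    ("2024-03-01T09:02:00", "dba_admin", "ws-42", "login", "db01", None),
    ("2024-03-01T09:10:00", "dba_admin", "ws-42", "grant_role", "svc_report", "CHG-1001"),
    ("2024-03-01T09:15:00", "sysadmin1", "ws-05", "grant_role", "contractor9", None),
    ("2024-03-01T09:20:00", "sysadmin1", "ws-05", "delete_audit_log", "db01", None),
]
APPROVED_TICKETS = {"CHG-1001"}          # change records approved by a second person
PRIVILEGED_ACCOUNTS = {"dba_admin", "sysadmin1", "old_backup_admin"}
PRIVILEGE_CHANGES = {"grant_role", "revoke_role", "add_to_group"}
AUDIT_TAMPERING = {"delete_audit_log", "modify_audit_log", "disable_auditing"}

def shared_account_sessions(events, window=timedelta(minutes=15)):
    """Accounts logged in from more than one host within `window`: a shared credential."""
    logins = defaultdict(list)
    for e in events:
        if e[3] == "login":
            logins[e[1]].append((datetime.fromisoformat(e[0]), e[2]))
    flagged = set()
    for account, sessions in logins.items():
        sessions.sort()
        for i, (t1, h1) in enumerate(sessions):
            for t2, h2 in sessions[i + 1:]:
                if h2 != h1 and t2 - t1 <= window:
                    flagged.add(account)
    return flagged

def unauthorized_privilege_changes(events, approved_tickets):
    """Privilege changes not backed by an approved change ticket."""
    return [e for e in events
            if e[3] in PRIVILEGE_CHANGES and e[5] not in approved_tickets]

def audit_log_tampering(events):
    """Privileged actions against the audit trail itself (integrity issue)."""
    return [e for e in events if e[3] in AUDIT_TAMPERING]

def dormant_accounts(events, privileged, now, max_idle=timedelta(days=30)):
    """Privileged accounts with no activity within `max_idle`: candidates for removal."""
    last_seen = {}
    for e in events:
        ts = datetime.fromisoformat(e[0])
        last_seen[e[1]] = max(last_seen.get(e[1], ts), ts)
    return {a for a in privileged
            if a not in last_seen or now - last_seen[a] > max_idle}
```

In a real deployment these checks would read from a log store the privileged users cannot alter, which is the separation-of-duties point made above.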